analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Unhide Files.bat

Full analysis: https://app.any.run/tasks/2b5dac33-d2b3-4858-a2c6-d5a2dbf5e9c7
Verdict: Malicious activity
Analysis date: November 16, 2019, 20:50:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/octet-stream
File info: data
MD5:

ED321251DC3B4F175E68BE78E694474D

SHA1:

9E72DA35F476589E57754A6768E9914D7717F2E0

SHA256:

F335F7098DE9B44F3849B8ADA84FCCA1AC09ED00F8936D60CB3CF8D085EEA2E5

SSDEEP:

12288:wnVHDWx5jouKbs3wPDdI3N4Pgq9vJvSuuqngHAJ:wnc/YsgrgN45

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • eng.exe (PID: 2884)
      • rf.exe (PID: 3996)
      • cmd.exe (PID: 2824)
      • cmd.exe (PID: 1740)
      • cmd.exe (PID: 3212)
      • cmd.exe (PID: 3664)
      • cmd.exe (PID: 892)
      • cmd.exe (PID: 3824)
      • cmd.exe (PID: 1252)
      • cmd.exe (PID: 2748)
      • cmd.exe (PID: 2552)
      • cmd.exe (PID: 1816)
      • cmd.exe (PID: 2092)
      • cmd.exe (PID: 1212)
      • cmd.exe (PID: 2520)
      • cmd.exe (PID: 3372)
      • cmd.exe (PID: 1796)
      • cmd.exe (PID: 3616)
      • cmd.exe (PID: 3544)
      • cmd.exe (PID: 3192)
      • cmd.exe (PID: 4032)
      • svcnosts.exe (PID: 2136)
      • cmd.exe (PID: 2788)
      • cmd.exe (PID: 3820)
      • svcnost.exe (PID: 2428)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2824)

    • Changes the autorun value in the registry

      • rf.exe (PID: 3996)

  • SUSPICIOUS

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 2824)
      • cmd.exe (PID: 2520)
      • cmd.exe (PID: 3616)
      • cmd.exe (PID: 2092)
      • cmd.exe (PID: 1796)
      • cmd.exe (PID: 1816)

    • Creates executable files which already exist in Windows

      • rf.exe (PID: 3996)

    • Executable content was dropped or overwritten

      • rf.exe (PID: 3996)
      • cmd.exe (PID: 2824)
      • eng.exe (PID: 2884)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2824)
      • rf.exe (PID: 3996)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 1740)
      • cmd.exe (PID: 2824)

    • Modifies the open verb of a shell class

      • rf.exe (PID: 3996)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • rf.exe (PID: 3996)

    • Starts itself from another location

      • svcnosts.exe (PID: 2136)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.bib/bibtex/txt | BibTeX references (100)
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
105
Monitored processes
51
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start cmd.exe eng.exe attrib.exe no specs attrib.exe no specs attrib.exe no specs cmd.exe no specs reg.exe no specs ping.exe no specs rf.exe cmd.exe no specs cacls.exe no specs cmd.exe no specs ping.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs reg.exe no specs attrib.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs cmd.exe no specs cacls.exe no specs svcnosts.exe no specs svcnost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2824cmd /c ""C:\Users\admin\AppData\Local\Temp\Unhide Files.bat" "C:\Windows\system32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2884"C:\Users\admin\AppData\Local\Temp\rlgms25586\eng.exe" "C:\Users\admin\AppData\Local\Temp\rlgms25586\sk.js"C:\Users\admin\AppData\Local\Temp\rlgms25586\eng.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1928attrib * -s /d C:\Windows\system32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2160attrib * -h /d C:\Windows\system32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3812attrib * -h -s /d C:\Windows\system32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1740C:\Windows\system32\cmd.exe /c REG QUERY HKCU\SOFTWARE\btC:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1504REG QUERY HKCU\SOFTWARE\btC:\Windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2124ping 127.0.0.1 -n 2 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3996"C:\Users\admin\AppData\Local\Temp\rlgms25586\rf.exe" rlcC:\Users\admin\AppData\Local\Temp\rlgms25586\rf.exe
eng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
1.0.0.0
2748"C:\Windows\system32\cmd.exe" /c cacls n:\sefera\Jnt\null\..\.. /g everyone:f /e /tC:\Windows\system32\cmd.exerf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
669
Read events
635
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
2
Text files
3
Unknown types
1

Dropped files

PID
Process
Filename
Type
2824cmd.exeC:\Users\admin\AppData\Local\Temp\rlgms25586\unrf.dllbib
MD5:ED321251DC3B4F175E68BE78E694474D
SHA256:F335F7098DE9B44F3849B8ADA84FCCA1AC09ED00F8936D60CB3CF8D085EEA2E5
3996rf.exeC:\sefera\Jnt\xyauuoouy\svcnost.exeexecutable
MD5:C94D686FB13A835355299C992EE8E594
SHA256:BEEF68C9C19D5E0A2A7EBEB97C10373EEAA88F87741573B9D1027F523C98076E
2884eng.exeC:\Users\admin\AppData\Local\Temp\rlgms25586\rf.exeexecutable
MD5:43935A2B61416385736FDF2D0D4BDFCC
SHA256:C5F21CBEAA15988A6E0887A1FD3B652DA9E8FFECC60D207E9513930CFF2CD965
3996rf.exeC:\sefera\Jnt\xyauuoouy\svcnosts.exeexecutable
MD5:C94D686FB13A835355299C992EE8E594
SHA256:BEEF68C9C19D5E0A2A7EBEB97C10373EEAA88F87741573B9D1027F523C98076E
3996rf.exeC:\sefera\Jnt\xyauuoouy\gotera.bmpbinary
MD5:CAC17D4A6C7489D29F523FB4D9A7EA25
SHA256:AC1D3CDA8A70C5FFDAA00C5B770BDA2660569B3B270F9775337C8E8C9B3BFE5B
3996rf.exeC:\System_VoIume_lnformation\Jnt\tajerihuh\explorers.exeexecutable
MD5:C94D686FB13A835355299C992EE8E594
SHA256:BEEF68C9C19D5E0A2A7EBEB97C10373EEAA88F87741573B9D1027F523C98076E
3996rf.exeC:\System_VoIume_lnformation\Jnt\tajerihuh\gotera.bmpbinary
MD5:CAC17D4A6C7489D29F523FB4D9A7EA25
SHA256:AC1D3CDA8A70C5FFDAA00C5B770BDA2660569B3B270F9775337C8E8C9B3BFE5B
2824cmd.exeC:\Users\admin\AppData\Local\Temp\rlgms25586\sk.jstext
MD5:3ABAFFE780DACFD3C83A6D79D3456CD1
SHA256:1D16BCFDCC3ACBD37D4E39E07DF2FA6F496FB4B9998D6F1D83C5E076860AFC6B
3996rf.exeC:\System_VoIume_lnformation\Jnt\tajerihuh\bmz\explorer.exeexecutable
MD5:AD7B9C14083B52BC532FBA5948342B98
SHA256:17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE
3996rf.exeC:\sefera\Jnt\xyauuoouy\desktop.iniini
MD5:ADC4B5D4444D26293DC782B6238CA6F0
SHA256:ABE8A5933FF450A89B8E9A736F08874B43B7355D17FFE6540C4A6EAD0F0995D3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2428
svcnost.exe
151.101.1.195:443
clear-march.firebaseapp.com
Fastly
US
malicious

DNS requests

Domain
IP
Reputation
clear-march.firebaseapp.com
  • 151.101.1.195
  • 151.101.65.195
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Unhide Files.bat